The Equifax Data Breach

Summary

The Equifax data breach, discovered in 2017, was one of history’s most devastating identity theft-related cyberattacks. It exposed the personal and financial data of 147 million Americans and thousands of Canadian and UK citizens. How did that happen?

About the attack

Equifax Inc. is one of the three major U.S. credit reporting agencies. It holds sensitive financial information about North American citizens, including credit card numbers, banking information, loans, mortgages, jobs, and anything related to a person’s financials. 

The attack was carried out between May 13 and July 30, 2017, and was only discovered on July 29, 2017. The attackers targeted Equifax's unpatched Apache Struts web application framework and gained access to sensitive data in its databases.

The exploited vulnerability

Hackers targeted CVE-2017-5638, a remote code execution (RCE) vulnerability in Apache Struts (a component used for web input handling), discovered on March 6, 2017. Equifax failed to patch the vulnerability even after public warnings and internal alerts. 

The exposed data

The exposed data included full legal names of individuals, over 145 million social security numbers in the U.S. alone, dates of birth, current and past mailing addresses, 209,000 credit card numbers, 17 million driver’s license numbers, and internal credit dispute files. 

Affected individuals by country:
United States: 147 M (99.5%)
United Kingdom: 593,000 (0.4%)
Canada: 19,000 (0.01%)

The impact on Equifax

On July 29, 2017, suspicious activity was flagged in Equifax systems, but it was disclosed publicly only on September 7, 2017, six weeks after discovery, drawing criticism from the public and stakeholders.

The incident eventually led to the resignation of Equifax's CEO, CIO, and CSO. The company offered free credit monitoring to its customers and agreed to a settlement of over $700 million with the FTC, the CFPB and fifty U.S. states. The fallout included a $425 million FTC fine for consumer restitution, multiple lawsuits, including a class action and a state-level investigation, a downgrade from S&P and Moody's for poor risk management, and heavy criticism for negligence during a congressional hearing.

Who was behind the attack?

The Equifax data breach was ultimately attributed to a group of Chinese military hackers. In February 2020, the U.S. Department of Justice (DOJ) indicted four members of China's People's Liberation Army (PLA) for carrying out the 2017 Equifax breach. The four belonged to PLA Unit 61398, known for cyber-espionage activities. These individuals are believed to be part of China's military intelligence apparatus focused on gathering economic and personal data.

Unlike ransomware or other financially motivated cybercrime, the Equifax breach was suspected to be state-sponsored espionage to gather massive personal data intended for intelligence profiling, social engineering, and tracking individuals globally. 

Despite the charges, no arrests have been made. The hackers remain in China, and the Chinese government has denied involvement, as is typical with state-level cyber incidents.

Lessons learnt from the Equifax data breach

Equifax failed to protect their customers’ data in multiple ways: 

Always monitor and apply patches to high-risk software (especially frameworks).
Know what's running and what's exposed in your environment.
Limit movement across systems once breached.
Encrypt data at rest.
Enforce least privilege.
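The first two lessons above (patch high-risk frameworks, know what is running) come down to being able to answer "which of our applications bundle a Struts version affected by CVE-2017-5638?". The script below is an added example, not code from the article or from Equifax: it walks a directory tree, finds Struts core jars by their standard Maven file name (struts2-core-<version>.jar), and compares each version against the affected ranges. The affected ranges (Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1) are taken from the Apache advisory for that CVE, not from the article; the sample directory tree is constructed inline so the script runs offline.

```python
"""
Added example (not from the original article): inventory check for Apache Struts
core jars affected by CVE-2017-5638.

Assumptions, labelled here and not stated by the article:
  - Struts jars follow the Maven artifact naming struts2-core-<version>.jar.
  - Affected ranges per the Apache advisory: 2.3.5 <= v < 2.3.32 and 2.5 <= v < 2.5.10.1.
"""
import os
import re
import tempfile

# Matches e.g. struts2-core-2.3.31.jar or struts2-core-2.5.10.1.jar (plugins such as
# struts2-convention-plugin-*.jar deliberately do not match).
STRUTS_JAR = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")

# (lowest affected version, first fixed version) per release branch; each range is
# inclusive at the low end and exclusive at the fixed version.
AFFECTED_RANGES = [
    ((2, 3, 5), (2, 3, 32)),
    ((2, 5), (2, 5, 10, 1)),
]


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    """True if the given Struts version lies inside an affected range for CVE-2017-5638."""
    v = parse_version(version)
    return any(low <= v < fixed for low, fixed in AFFECTED_RANGES)


def find_struts_jars(root):
    """Yield (path, version) for every Struts core jar found under root."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            match = STRUTS_JAR.match(name)
            if match:
                yield os.path.join(dirpath, name), match.group(1)


def audit(root):
    """Return a list of (path, version, vulnerable) for each Struts core jar under root."""
    return [(path, ver, is_vulnerable(ver)) for path, ver in find_struts_jars(root)]


def build_sample_tree(root):
    """Create a constructed sample of deployed web applications (empty jar files)."""
    sample = {
        "app1/WEB-INF/lib/struts2-core-2.3.31.jar": "",          # affected
        "app2/WEB-INF/lib/struts2-core-2.5.10.1.jar": "",        # first fixed 2.5.x release
        "app3/WEB-INF/lib/struts2-core-2.5.2.jar": "",           # affected
        "app3/WEB-INF/lib/struts2-convention-plugin-2.5.2.jar": "",  # plugin, not core
    }
    for rel_path, content in sample.items():
        full = os.path.join(root, rel_path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)


def demo():
    """Audit the constructed sample tree; return sorted (version, vulnerable) pairs."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        results = audit(root)
    # Paths are temp-directory specific, so report only version and verdict.
    return sorted((ver, vuln) for _, ver, vuln in results)


if __name__ == "__main__":
    for version, vulnerable in demo():
        status = "AFFECTED by CVE-2017-5638" if vulnerable else "not affected"
        print(f"struts2-core {version}: {status}")
```

Pointing `audit()` at a real application server's deployment root gives the same report for what is actually deployed; comparing tuples rather than strings is what keeps 2.5.10.1 correctly outside the affected range while 2.5.2 stays inside it.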

The Equifax data breach was one of the major cyberattacks publicly linked to a nation-state for the purpose of economic espionage rather than profit. 
